[teiid-issues] [JBoss JIRA] (TEIID-2803) Provide SAML support for OData Transport

Ramesh Reddy (JIRA) issues at jboss.org
Mon Jan 27 12:43:28 EST 2014


    [ https://issues.jboss.org/browse/TEIID-2803?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12939082#comment-12939082 ] 

Ramesh Reddy commented on TEIID-2803:
-------------------------------------

My goal for this JIRA was to use Picketlink as the Service Provider and use any other external IDP, like Shibboleth or OpenAM (OpenSSO), to do a real-world scenario. Here is what I have tried so far.

Picket Link:
* All the examples show a Picketlink IDP and a Picketlink SP. I have asked for an example with another IDP here https://community.jboss.org/thread/236380; so far nobody has replied. It seems to me that the Picketlink team only verified with their own IDP and SP. It may work with others, but no such examples were found. I found a couple of threads (https://community.jboss.org/thread/163295?tstart=0) where community users were trying to work with Shibboleth, but not much further info than "look at the code". If I were a security expert I could have -:(

* I tried, with my very limited SAML knowledge, TestShib (http://www.testshib.org), a Shibboleth IDP, with PicketLink as the SP, using the sales-metadata example that PicketLink provides with modifications to the sp-metadata, certificates, etc., but this was with no success. I suspect my configuration was wrong, but I cannot verify that authoritatively.

* Picketlink seems to provide different types of examples: plain, using certificates, and using metadata. Shibboleth had one way, which was similar to the metadata example. So it was a little confusing as to why there are separate examples. IMO, interoperability should be one of the main features of these products, as more users will be developing the SP to work with their enterprise IDP.

* I gave up and finally tried the Picketlink IDP with the Picketlink SP; the examples worked fine within a few minutes, except for the one example that is "metadata" based. It seemed like the IDP and SP were redirecting to each other in a loop after the authentication. For me this was the only example I really cared about (see above for my reason).

* Another requirement of mine was to support OAuth2; I am not sure Picketlink provides that.

* Picketlink also provides a "subsystem" for JBoss EAP 6.1. I installed it and tried an example. I did like the way this was supported. In this scenario, the SP developer does NOT need to configure anything in their WAR files; all the configuration is done in the standalone.xml file, which was perfect, because I did not have to do anything as the SP developer. But I found that this configuration also favors the Picketlink IDP; I am not sure it can be used with an external IDP (I have to try this next).

CXF:

* CXF seems to provide support for both SAML SSO and OAuth 1 & 2.
* CXF claims their SP is tested with other external vendors. I asked for an example in their community (http://cxf.547215.n5.nabble.com/Any-CXF-examples-that-show-SAML-usage-with-IDP-td5739033.html#a5739044), and within minutes I had a response with an example.
* When I tried their example as is, I had a lot of CNF exceptions in JBoss EAP 6.1; obviously I need to do a lot more work here to resolve dependencies. It seems like there were a lot of these.
* The bad part here is that in JBoss EAP, CXF is the chosen JAX-RS implementation, so I am not sure if I will be able to use just the security aspect of their libraries along with Resteasy and implement the feature. Otherwise downstream productization and support will be hard.

> Provide SAML support for OData Transport
> ----------------------------------------
>
>                 Key: TEIID-2803
>                 URL: https://issues.jboss.org/browse/TEIID-2803
>             Project: Teiid
>          Issue Type: Feature Request
>          Components: OData
>            Reporter: Ramesh Reddy
>            Assignee: Ramesh Reddy
>             Fix For: 8.7
>
>
> Provide SAML based security authentication support for OData transport. Provide a capability for user to configure their own STS provider.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira